Biblio

Embedded systems that communicate with each other over the internet and build up a larger, loosely coupled (hardware) system with an unknown configuration at runtime is often referred to as a cyberphysical system. Many of these systems can become, due to its associated risks during their operation, safety critical. With increased complexity of such systems, the number of configurations can either be infinite or even unknown at design time. Hence, a certification at design time for such systems that documents a safe interaction for all possible configurations of all participants at runtime can become unfeasible. If such systems come together in a new configuration, a mechanism is required that can decide whether or not it is safe for them to interact. Such a mechanism can generally not be part of such systems for the sake of trust. Therefore, we present in the following sections the SEnSE device, short for Secure and Safe Embedded, that tackles these challenges and provides a secure and safe integration of safety-critical embedded systems.

Monitoring systems are essential to understand and control the behaviour of systems and networks. Cyber-physical systems (CPS) are particularly delicate under that perspective since they involve real-time constraints and physical phenomena that are not usually considered in common IT solutions. Therefore, there is a need for publicly available monitoring tools able to contemplate these aspects. In this poster/demo, we present our initiative, called CPS-MT, towards a versatile, real-time CPS monitoring tool, with a particular focus on security research. We first present its architecture and main components, followed by a MiniCPS-based case study. We also describe a performance analysis and preliminary results. During the demo, we will discuss CPS-MT's capabilities and limitations for security applications.

Over the past decade, the reliance on Unmanned Aerial Systems (UAS) to carry out critical missions has grown drastically. With an increased reliance on UAS as mission assets and the dependency of UAS on cyber resources, cyber security of UAS must be improved by adopting sound security principles and relevant technologies from the computing community. On the other hand, the traditional avionics community, being aware of the importance of cyber security, is looking at new architecture and designs that can accommodate both the traditional safety oriented principles as well as the cyber security principles and techniques. It is with the effective and timely convergence of these domains that a holistic approach and co-design can meet the unique requirements of modern systems and operations. In this paper, authors from both the cyber security and avionics domains describe our joint effort and insights obtained during the course of designing secure and resilient embedded avionics systems.

In spite of numerous advantages of biometrics-based personal authentication systems over traditional security systems based on token or knowledge, they are vulnerable to attacks that can decrease their security considerably. In this paper, we propose a new hardware solution to protect biometric templates such as fingerprint. The proposed scheme is based on chaotic N × N grid multi-scroll system and it is implemented on Xilinx FPGA. The hardware implementation is achieved by applying numerical solution methods in our study, we use EM (Euler Method). Simulation and experimental results show that the proposed scheme allows a low cost image encryption for embedded systems while still providing a good trade-off between performance and hardware resources. Indeed, security analysis performed to the our scheme, is strong against known different attacks, such as: brute force, statistical, differential, and entropy. Therefore, the proposed chaos-based multiscroll encryption algorithm is suitable for use in securing embedded biometric systems.

The Internet of Things (IoT) holds great potential for productivity, quality control, supply chain efficiencies and overall business operations. However, with this broader connectivity, new vulnerabilities and attack vectors are being introduced, increasing opportunities for systems to be compromised by hackers and targeted attacks. These vulnerabilities pose severe threats to a myriad of IoT applications within areas such as manufacturing, healthcare, power and energy grids, transportation and commercial building management. While embedded OEMs offer technologies, such as hardware Trusted Platform Module (TPM), that deploy strong chain-of-trust and authentication mechanisms, still they struggle to protect against vulnerabilities introduced by vendors and end users, as well as additional threats posed by potential technical vulnerabilities and zero-day attacks. This paper proposes a pro-active policy-based approach, enforcing the principle of least privilege, through hardware Security Policy Engine (SPE) that actively monitors communication of applications and system resources on the system communication bus (ARM AMBA-AXI4). Upon detecting a policy violation, for example, a malicious application accessing protected storage, it counteracts with predefined mitigations to limit the attack. The proposed SPE approach widely complements existing embedded hardware and software security technologies, targeting the mitigation of risks imposed by unknown vulnerabilities of embedded applications and protocols.

Cyber physical systems are the key innovation driver for many domains such as automotive, avionics, industrial process control, and factory automation. However, their interconnection potentially provides adversaries easy access to sensitive data, code, and configurations. If attackers gain control, material damage or even harm to people must be expected. To counteract data theft, system manipulation and cyber-attacks, security mechanisms must be embedded in the cyber physical system. Adding hardware security in the form of the standardized Trusted Platform Module (TPM) is a promising approach. At the same time, traditional dependability features such as safety, availability, and reliability have to be maintained. To determine the right balance between security and dependability it is essential to understand their interferences. This paper supports developers in identifying the implications of using TPMs on the dependability of their system.We highlight potential consequences of adding TPMs to cyber-physical systems by considering the resulting safety, reliability, and availability. Furthermore, we discuss the potential of enhancing the dependability of TPM services by applying traditional redundancy techniques.

The article considers the approach to identifying potentially unsafe data in program code of embedded systems which can lead to errors and fails in the functioning of equipment. The sources of invalid data are revealed and the process of changing the status of this data in process of static code analysis is shown. The mechanism for annotating functions that operate on unsafe data is described, which allows to control the entire process of using them and thus it will improve the quality of the output code.

For decades, embedded systems, ranging from intelligence, surveillance, and reconnaissance (ISR) sensors to electronic warfare and electronic signal intelligence systems, have been an integral part of U.S. Department of Defense (DoD) mission systems. These embedded systems are increasingly the targets of deliberate and sophisticated attacks. Developers thus need to focus equally on functionality and security in both hardware and software development. For critical missions, these systems must be entrusted to perform their intended functions, prevent attacks, and even operate with resilience under attacks. The processor in a critical system must thus provide not only a root of trust, but also a foundation to monitor mission functions, detect anomalies, and perform recovery. We have developed a Lincoln Asymmetric Multicore Processing (LAMP) architecture, which mitigates adversarial cyber effects with separation and cryptography and provides a foundation to build a resilient embedded system. We will describe a design environment that we have created to enable the co-design of functionality and security for mission assurance.

Unlike traditional processors, embedded Internet of Things (IoT) devices lack resources to incorporate protection against modern sophisticated attacks resulting in critical consequences. Remote attestation (RA) is a security service to establish trust in the integrity of a remote device. While conventional RA is static and limited to detecting malicious modification to software binaries at load-time, recent research has made progress towards runtime attestation, such as attesting the control flow of an executing program. However, existing control-flow attestation schemes are inefficient and vulnerable to sophisticated data-oriented programming (DOP) attacks subvert these schemes and keep the control flow of the code intact. In this paper, we present LiteHAX, an efficient hardware-assisted remote attestation scheme for RISC-based embedded devices that enables detecting both control-flow attacks as well as DOP attacks. LiteHAX continuously tracks both the control-flow and data-flow events of a program executing on a remote device and reports them to a trusted verifying party. We implemented and evaluated LiteHAX on a RISC-V System-on-Chip (SoC) and show that it has minimal performance and area overhead.

ARM devices (mobile phone, IoT devices) are getting more popular in our daily life due to the low power consumption and cost. These devices carry a huge number of user's private information, which attracts attackers' attention and increase the security risk. The operating systems (e.g., Android, Linux) works out many memory data protection strategies on user's private information. However, the monolithic OS may contain security vulnerabilities that are exploited by the attacker to get root or even kernel privilege. Once the kernel privilege is obtained by the attacker, all data protection strategies will be gone and user's private information can be taken away. In this paper, we propose a hardened memory data protection framework called H-Securebox to defeat kernel-level memory data stolen attacks. H-Securebox leverages ARM hardware virtualization technique to protect the data on the memory with hypervisor privilege. We designed three types H-Securebox for programing developers to use. Although the attacker may have kernel privilege, she can not touch private data inside H-Securebox, since hypervisor privilege is higher than kernel privilege. With the implementation of H-Securebox system assisting by a tiny hypervisor on Raspberry Pi2 development board, we measure the performance overhead of our system and do the security evaluations. The results positively show that the overhead is negligible and the malicious application with root or kernel privilege can not access the private data protected by our system.

Having an effective security level for Embedded System (ES), helps a reliable and stable operation of this system. In order to identify, if the current security level for a given ES is effective or not, we need a proactive evaluation for this security level. The evaluation of the security level for ESs is not straightforward process, things like the heterogeneity among the components of ES complicate this process. One of the productive approaches, which overcame the complexity of evaluation for Security, Privacy and Dependability (SPD) is the Multi Metrics (MM). As most of SPD evaluation approaches, the MM approach bases on the experts knowledge for the basic evaluation. Regardless of its advantages, experts evaluation has some drawbacks, which foster the need for less experts-dependent evaluation. In this paper, we propose a framework for security measurability as a part of security, privacy and dependability evaluation. The security evaluation based on Multi Metric (MM) approach as being an effective approach for evaluations, thus, we call it MM framework. The art of evaluation investigated within MM framework, based also on systematic storing and retrieving of experts knowledge. Using MM framework, the administrator of the ES could evaluate and enhance the S-level of their system, without being an expert in security.

Cyber-physical systems connect the physical world and the information world by sensors and actuators. These sensors are usually small embedded systems which have many limitations on wireless communication, computing and storage. This paper proposes a lightweight coding method for secure and reliable transmission over a wireless communication links in cyber-physical systems. The reliability of transmission is provided by forward error correction. And to ensure the confidentiality, we utilize different encryption matrices at each time of coding which are generated by the sequence number of packets. So replay attacks and other cyber threats can be resisted simultaneously. The issues of the prior reliable transmission protocols and secure communication protocols in wireless networks of a cyber-physical system are reduced, such as large protocol overhead, high interaction delay and large computation cost.

Vehicular ad hoc network is based on MANET all the vehicle to vehicle and vehicle roadside are connected to the wireless sensor network. In this paper mainly discuss on the security in the VANET in the lightweight cloud environment. Moving vehicle on the roadside connected through the sensor nodes and to provide communication between the vehicles and directly connected to the centralized environment. We propose a new approach to share the information in the VANET networks in secure manner through cloud.

Software development for Cyber-Physical Systems (CPS), e.g., autonomous vehicles, requires both functional and non-functional quality assurance to guarantee that the CPS operates safely and effectively. EAST-ADL is a domain specific architectural language dedicated to safety-critical automotive embedded system design. We have previously modified EAST-ADL to include energy constraints and transformed energy-aware real-time (ERT) behaviors modeled in EAST-ADL/Stateflow into UPPAAL models amenable to formal verification. Previous work is extended in this paper by including support for Simulink and an integration of Simulink/Stateflow (S/S) within the same too lchain. S/S models are transformed, based on the extended ERT constraints with probability parameters, into verifiable UPPAAL-SMC models and integrate the translation with formal statistical analysis techniques: Probabilistic extension of EAST-ADL constraints is defined as a semantics denotation. A set of mapping rules is proposed to facilitate the guarantee of translation. Formal analysis on both functional- and non-functional properties is performed using Simulink Design Verifier and UPPAAL-SMC. Our approach is demonstrated on the autonomous traffic sign recognition vehicle case study.

The evolution of convolutional neural networks (CNNs) into more complex forms of organization, with additional layers, larger convolutions and increasing connections, established the state-of-the-art in terms of accuracy errors for detection and classification challenges in images. Moreover, as they evolved to a point where Gigabytes of memory are required for their operation, we have reached a stage where it becomes fundamental to understand how their inference capabilities can be impaired if data elements somehow become corrupted in memory. This paper introduces fault-injection in these systems by simulating failing bit-cells in hardware memories brought on by relaxing the 100% reliable operation assumption. We analyze the behavior of these networks calculating inference under severe fault-injection rates and apply fault mitigation strategies to improve on the CNNs resilience. For the MNIST dataset, we show that 8x less memory is required for the feature maps memory space, and that in sub-100% reliable operation, fault-injection rates up to 10-1 (with most significant bit protection) can withstand only a 1% error probability degradation. Furthermore, considering the offload of the feature maps memory to an embedded dynamic RAM (eDRAM) system, using technology nodes from 65 down to 28 nm, up to 73 80% improved power efficiency can be obtained.

Software attacks are commonly performed against embedded systems in order to access private data or to run restricted services. In this work, we demonstrate some vulnerabilities of commonly use processor which can be leveraged by hackers to attack a system. The targeted devices are based on open processor architectures OpenRISC and RISC-V. Several software exploits are discussed and demonstrated while a hardware countermeasure is proposed and validated on OpenRISC against Return Oriented Programming attack.

Artificial software diversity is an effective way to prevent software vulnerabilities and errors to be exploited in code-reuse attacks. This is achieved by lowering the individual probability of a successful attack to a level that makes the attack unfeasible. Unfortunately, the existing approaches are not applicable to safety-critical real-time systems as they induce unacceptable performance overheads, they violate safety and timing guarantees, or they assume hardware resources which are typically not available in embedded systems. To overcome these problems, we propose a safe diversity approach that preserves the timing properties of real-time processes by controlling its impact on the worst case execution time (WCET). Our main idea is to use block-level diversity with a large, but fixed set of movable instruction sequences, and to use static WCET analysis to identify non-critical areas of code where it can safely be split into more movable instruction sequences.

IoT (Internet of Things) is a network of interconnected devices, designed to collect and exchange data which can then turn it into information, eventually into wisdom. IoT is a region where digital world converges with physical world. With the evolution of IoT, it is expected to create substantial impact on human lives. IoT ecosystem produces and exchanges sizeable data due to which IoT becomes an attractive target for adversary. The large-scale interconnectivity leads to various potential risk related to information security. Security assurance in IoT ecosystem is one of the major challenges to address. In this context, embedded security becomes a key issue in IoT devices which are constrained in terms of processing, power, memory and bandwidth. The focus of this paper is on the recommended design considerations for constrained IoT devices with the objective to achieve security by default. Considering established set of protocols along with best practices during design and development stage can address majority of security challenges.

Existing techniques used for anomaly detection do not fully utilize the intrinsic properties of embedded devices. In this paper, we propose a lightweight method for detecting anomalous executions using a distribution of system call frequencies. We use a cluster analysis to learn the legitimate execution contexts of embedded applications and then monitor them at run-time to capture abnormal executions. Our prototype applied to a real-world open-source embedded application shows that the proposed method can effectively detect anomalous executions without relying on sophisticated analyses or affecting the critical execution paths.

Embedded systems are prone to security attacks from their limited resources available for self-protection and unsafe language typically used for application programming. Attacks targeting control flow is one of the most common exploitations for embedded systems. We propose a hardware-level, effective, and low overhead countermeasure to mitigate these types of attacks. In the proposed method, a Built-in Secure Register Bank (BSRB) is introduced to the processor micro-architecture to store the return addresses of subroutines. The inconsistency on the return addresses will direct the processor to select a clean copy to resume the normal control flow and mitigate the security threat. This proposed countermeasure is inaccessible for the programmer and does not require any compiler support, thus achieving better flexibility than software-based countermeasures. Experimental results show that the proposed method only increases the area and power by 3.8% and 4.4%, respectively, over the baseline OpenRISC processor.

Wearable medical devices are playing more and more important roles in healthcare. Unlike the wired connection, the wireless connection between wearable devices and the remote servers are exceptionally vulnerable to malicious attacks, and poses threats to the safety and privacy of the patient health data. Therefore, wearable medical devices require the implementation of reliable measures to secure the wireless network communication. However, those devices usually have limited computational power that is not comparable with the desktop computer and thus, it is difficult to adopt the full-fledged security algorithm in software. In this study, we have developed an efficient authentication and encryption protocol for internetconnected wearable devices using the recognized standards of AES and SHA that can provide two-way authentication between wearable device and remote server and protection of patient privacy against various network threats. We have tested the feasibility of this protocol on the TI CC3200 Launchpad, an evaluation board of the CC3200, which is a Wi-Fi capable microcontroller designed for wearable devices and includes a hardware accelerated cryptography module for the implementation of the encryption algorithm. The microcontroller serves as the wearable device client and a Linux computer serves as the server. The embedded client software was written in ANSI C and the server software was written in Python.

Data Deduplication provides lots of benefits to security and privacy issues which can arise as user's sensitive data at risk of within and out of doors attacks. Traditional secret writing that provides knowledge confidentiality is incompatible with knowledge deduplication. Ancient secret writing wants completely different users to encode their knowledge with their own keys. Thus, identical knowledge copies of completely different various users can result in different ciphertexts that makes Deduplication not possible. Convergent secret writing has been planned to enforce knowledge confidentiality whereas creating Deduplication possible. It encrypts/decrypts a knowledge copy with a confluent key, that is obtained by computing the cryptographical hash price of the content of the information copy. Once generation of key and encryption, the user can retain the keys and send ciphertext to cloud.

Complex safety-critical devices require dependable communication. Dependability includes confidentiality and integrity as much as safety. Encrypting gateways with demilitarized zones, Multiple Independent Levels of Security architectures and the infamous Air Gap are diverse integration patterns for safety-critical infrastructure. Though resource restricted embedded safety devices still lack simple, certifiable, and efficient cryptography implementations. Following the recommended formal methods approach for safety-critical devices, we have implemented proven cryptography algorithms in the qualified model based language Scade as the Safety Leveraged Implementation of Data Encryption (SLIDE) library. Optimization for the synchronous dataflow language is discussed in the paper. The implementation for public-key based encryption and authentication is evaluated for real-world performance. The feasibility is shown by execution time benchmarks on an industrial safety microcontroller platform running a train control safety application.

In this paper, we propose a lightweight multi-receiver encryption scheme for the device to device communications on Internet of Things (IoT) applications. In order for the individual user to control the disclosure range of his/her own data directly and to prevent sensitive personal data disclosure to the trusted third party, the proposed scheme uses device-generated public keys. For mutual authentication, third party generates Schnorr-like lightweight identity-based partial private keys for users. The proposed scheme provides source authentication, message integrity, replay-attack prevention and implicit user authentication. In addition to more security properties, computation expensive pairing operations are eliminated to achieve less time usage for both sender and receiver, which is favourable property for IoT applications. In this paper, we showed a proof of security of our scheme, computational cost comparison and experimental performance evaluations. We implemented our proposed scheme on real embedded Android devices and confirmed that it achieves less time cost for both encryption and decryption comparing with the existing most efficient certificate-based multi-receiver encryption scheme and certificateless multi-receiver encryption scheme.

We have proposed a method of designing embedded clock-cycle-sensitive Hardware Trojans (HTs) to manipulate finite state machine (FSM). By using pipeline to choose and customize critical path, the Trojans can facilitate a series of attack and need no redundant circuits. One cannot detect any malicious architecture through logic analysis because the proposed circuitry is the part of FSM. Furthermore, this kind of HTs alerts the trusted systems designers to the importance of clock tree structure. The attackers may utilize modified clock to bypass certain security model or change the circuit behavior.